Architecture Review
ARCHIVED: Snapshot from 2026-01-14. See services.md for current state.
Comprehensive analysis of homelab architecture with domain coexistence strategy. Reviewed 2026-01-14.
Executive Summary
| Aspect |
Status |
Confidence |
| Architecture Design |
Excellent |
High |
| Service Selection (22) |
Well-balanced |
High |
| Network Topology |
Clear |
High |
| Documentation |
75% complete |
Medium |
| Deployment Readiness |
10% (mostly pending) |
Low |
| Redundancy Model |
Strong |
High |
| Security Model |
Sound |
High |
Verdict: Architecture is conceptually excellent but requires clarification on implementation details before deployment.
Current Architecture Overview
Three-Tier Distributed Model
┌─────────────────────────────────────────────────────────────────┐
│ INTERNET │
└────────────────────────────────────────┬────────────────────────┘
│
┌──────────────────────────┼───────────────────┐
│ │ │
[Tethering] [Home ISP/WiFi] [Vultr VPS]
│ │ 100.77.172.46
│ │
[Samsung A13] [Home Router] [DERP Relay]
│ 192.168.0.0/24 [Pi-hole]
│ │ [Uptime Kuma]
[Beryl AX] [Mini PC - Proxmox] [ntfy]
192.168.8.1 192.168.0.237 [changedetection]
/ \ │ [Restic REST]
/ \ [OPNsense VM]
MacBook 192.168.0.1
192.168.8.10 192.168.8.5 │
[Mobile Kit] [vmbr0 - LAN]
│
┌───────────────┼────────────┐
│ │ │
[Docker VM] [RPi 4-Start9] [Old PC/NAS]
192.168.0.10 192.168.0.11 192.168.0.12
Environment Summary
| Environment |
Hardware |
Role |
Key Services |
| Mobile Kit |
MacBook, Beryl AX, Samsung A13 |
On-demand, portable |
- |
| Fixed Homelab |
Mini PC, RPi 4, NAS |
Always-on (24/7) |
Media, Bitcoin, storage, automation |
| VPS |
Vultr US ($6/mo) |
Always-on (24/7) |
Headscale, DERP, monitoring |
Strengths
What's Working Well
| Strength |
Description |
| Three-tier redundancy |
Mobile, Fixed, VPS operate independently |
| Privacy-first model |
Data stays home, VPS is helper-only |
| Mesh sovereignty |
Headscale self-hosted on VPS, not vendor lock-in |
| Service diversity |
Good balance: media, automation, bitcoin, storage |
| Hardware selection |
Appropriate specs for each role |
| Documentation |
Comprehensive diagrams and references |
Key Design Wins
- Headscale on VPS - 24/7 mesh coordination, mobile kit can be off
- Mobile kit on-demand - Saves energy/heat, mesh still works when off
- Pi-hole everywhere - Consistent DNS/ad-blocking across environments
- Start9 for Bitcoin - Maximum sovereignty, privacy-first
- Syncthing over Nextcloud - Peer-to-peer, no central server
Gaps & Issues Identified
Critical (Fix Before Deployment)
| Issue |
Impact |
Solution |
Status |
| Headscale backup only daily |
Lose DB = re-register ALL devices |
Increase to hourly, add restore testing |
✅ Fixed |
| No disaster recovery runbook |
Can't recover from failures |
Document recovery procedures |
✅ Fixed |
| Caddy reverse proxy undefined |
Can't expose services externally |
Create Caddyfile with subdomain mappings |
✅ Fixed |
| MQTT missing |
Home Assistant ↔ Frigate broken |
Add Mosquitto to Docker VM |
✅ Fixed |
High Priority
| Issue |
Impact |
Solution |
| Old PC/NAS specs TBD |
Can't plan storage/UPS properly |
Document hardware |
| VPS RAM tight (~150MB headroom) |
May OOM under load |
Audit actual usage, consider upgrade |
| No docker-compose files |
Can't deploy services |
Create compose files for each environment |
| Certificate strategy unclear |
SSL/TLS for public services |
Document Caddy auto-SSL with domains |
Medium Priority
| Issue |
Impact |
Solution |
| No VLAN documentation |
IoT isolation unclear |
Document OPNsense VLAN strategy |
| Monitoring alerts undefined |
Don't know when things break |
Configure Uptime Kuma + ntfy |
| Backup testing absent |
Untested backups = no backups |
Create restore test procedure |
| Port 8080 conflict |
qBittorrent vs Pi-hole alt |
Reassign one service |
Low Priority (Future)
| Issue |
Impact |
Solution |
| Tailscale IP assignment policy |
New device confusion |
Document IP allocation scheme |
| Bitcoin pruning strategy |
Disk may fill up |
Document blockchain management |
| Syncthing limitations |
No WebDAV/CalDAV |
Accept limitation or add solution |
Domain Coexistence Strategy
The Two-Domain Model
| Domain |
Purpose |
Audience |
| cronova.dev |
Personal homelab infrastructure |
You, family |
|
Business, customer-facing |
Customers, public |
Why Two Domains?
┌─────────────────────────────────────────────────────────────────┐
│ SEPARATION OF CONCERNS │
├─────────────────────────────────────────────────────────────────┤
│ │
│ cronova.dev <BUSINESS_DOMAIN> │
│ ─────────── ────────── │
│ • Personal infrastructure • Professional presence │
│ • Homelab services • Customer-facing apps │
│ • Geek cred • Business credibility │
│ • Guarani cultural flex • Easy to spell/remember │
│ • ~$30/year • ~$12/year │
│ │
│ "ssh admin@cronova.dev" "Visit <BUSINESS_DOMAIN>" │
│ │
└─────────────────────────────────────────────────────────────────┘
Subdomain Architecture
cronova.dev (Personal Infrastructure)
cronova.dev
├── hs.cronova.dev → Headscale (VPS)
├── dns.cronova.dev → Pi-hole (all environments)
├── git.cronova.dev → Forgejo (NAS)
├── jara.cronova.dev → Home Assistant (Docker VM)
├── yrasema.cronova.dev → Jellyfin (Docker VM)
├── vault.cronova.dev → Vaultwarden (Docker VM) [PUBLIC]
├── status.cronova.dev → Uptime Kuma (VPS) [PUBLIC]
├── notify.cronova.dev → ntfy (VPS) [PUBLIC]
├── btc.cronova.dev → Start9 (RPi 4)
├── nas.cronova.dev → Syncthing/Samba (NAS)
└── watch.cronova.dev → changedetection (VPS)
(Business)
<BUSINESS_DOMAIN>
├── <BUSINESS_DOMAIN> → Company landing page
├── <BUSINESS_DOMAIN> → Customer APIs
├── <BUSINESS_DOMAIN> → Web application / SaaS
├── <BUSINESS_DOMAIN> → Documentation
└── <BUSINESS_DOMAIN> → Sales demos
Service Access Model
| Service |
Public |
Tailscale |
Rationale |
| Vaultwarden |
Yes |
Yes |
Need passwords everywhere |
| Uptime Kuma |
Yes (read-only) |
Yes |
Public status page |
| ntfy |
Yes |
Yes |
Push notifications from anywhere |
| Jellyfin |
No |
Yes |
Media is personal |
| Home Assistant |
No |
Yes |
Home automation is private |
| Start9 |
No |
Yes |
Bitcoin = maximum privacy |
| Forgejo |
No |
Yes |
Code is private |
| Syncthing |
No |
Yes |
Files are private |
| <> |
Yes |
No |
Public website |
|
Yes |
No |
Customer API |
DNS Architecture with Domains
Cloudflare Configuration
┌──────────────────────────────────────────────────────────────────┐
│ Cloudflare DNS │
│ (Registrar + DNS + CDN) │
├──────────────────────────────────────────────────────────────────┤
│ │
│ cronova.dev <BUSINESS_DOMAIN> │
│ ─────────── ────────── │
│ A @ → VPS_IP A @ → VPS_IP │
│ A * → VPS_IP (wildcard) A * → VPS_IP │
│ AAAA @ → VPS_IPv6 AAAA @ → VPS_IPv6 │
│ AAAA * → VPS_IPv6 AAAA * → VPS_IPv6 │
│ │
│ Proxy: Orange cloud (CDN) for public services │
│ Proxy: Grey cloud (DNS only) for Tailscale services │
│ │
└──────────────────────────────────────────────────────────────────┘
Traffic Flow
┌─────────────────────────────────────────────────────────────────────────┐
│ INTERNET │
│ │
│ cronova.dev (homelab) <BUSINESS_DOMAIN> (business) │
└────────────────────────────────┬─────────────────────────────────────────┘
│
[Cloudflare DNS]
│
[VPS - Caddy]
100.77.172.46
┌──────────┴──────────┐
│ │
[Public Services] [Tailscale Mesh]
───────────────── ────────────────
status.cronova.dev All internal
notify.cronova.dev services via
vault.cronova.dev 100.64.0.x
<BUSINESS_DOMAIN>
<BUSINESS_DOMAIN>
│
┌─────────────────────┼─────────────────────┐
│ │ │
[Mobile Kit] [Fixed Homelab] [VPS Helper]
MacBook + Beryl AX Mini PC + RPi 4 Vultr US
100.64.0.1-2 + NAS 100.77.172.46
100.68.63.168+
Caddy Reverse Proxy Config (Proposed)
# cronova.dev - Public services
vault.cronova.dev {
reverse_proxy 100.68.63.168:8843
}
status.cronova.dev {
reverse_proxy localhost:3001
}
notify.cronova.dev {
reverse_proxy localhost:80
}
# <BUSINESS_DOMAIN> - Business services
<BUSINESS_DOMAIN> {
root * /var/www/<business>
file_server
}
<BUSINESS_DOMAIN> {
reverse_proxy localhost:8080
}
# Catch-all redirect
cronova.dev {
redir https://status.cronova.dev
}
<BUSINESS_DOMAIN> {
redir <BUSINESS_DOMAIN>
}
Unified Architecture Diagram
┌─────────────────────────────────────────────────────────────────────────┐
│ INTERNET │
│ │
│ cronova.dev <BUSINESS_DOMAIN> │
│ (Personal Homelab) (Business/Customers) │
└────────────────────────────────┬─────────────────────────────────────────┘
│
┌──────┴──────┐
│ Cloudflare │
│ DNS + CDN │
└──────┬──────┘
│
┌──────┴──────┐
│ VPS (Caddy) │
│100.77.172.46│
│ │
│ • DERP │
│ • Pi-hole │
│ • Uptime │
│ • ntfy │
│ • change │
│ detection │
│ • Restic │
└──────┬──────┘
│
[Tailscale Mesh]
100.64.0.0/10
│
┌──────────────────────┼──────────────────────┐
│ │ │
┌──────┴──────┐ ┌──────┴──────┐ ┌──────┴──────┐
│ Mobile Kit │ │Fixed Homelab│ │ (VPS) │
│ │ │ │ │ Already │
│ │ │ Mini PC │ │ shown │
│ │ │ (Proxmox) │ │ above │
│ │ │100.78.12.241│ │ │
│ │ │ │ └─────────────┘
│ │ │ ┌─────────┐ │
│ MacBook │ │ │OPNsense │ │
│ 100.64.0.2 │ │ │ VM │ │
│ • Tailscale │ │ └─────────┘ │
│ │ │ │
│ Beryl AX │ │ ┌─────────┐ │
│ 192.168.8.1 │ │ │Docker VM│ │
│ │ │ │Pi-hole │ │
│ Samsung A13 │ │ │Caddy │ │
│ (tether) │ │ │Jellyfin │ │
└─────────────┘ │ │*arr │ │
│ │HA │ │
│ │Vault │ │
│ └─────────┘ │
│ │
│ RPi 5 │
│ 192.168.0.20│
│ • OpenClaw │
│ │
│ RPi 4 │
│ 100.64.0.11 │
│ • Start9 │
│ • Bitcoin │
│ • Lightning │
│ │
│ NAS │
│ 100.82.77.97 │
│ • Samba │
│ • Syncthing │
│ • Frigate │
│ • Restic │
└─────────────┘
Improvement Roadmap
Phase 1: Critical Fixes (Before Deployment) ✅ COMPLETE
| # |
Task |
Deliverable |
Status |
| 1 |
Increase Headscale backup frequency |
Backup sidecar in docker-compose |
✅ Done |
| 2 |
Create disaster recovery runbook |
docs/strategy/disaster-recovery.md |
✅ Done |
| 3 |
Add MQTT broker to services |
Update services.md, compose file |
✅ Done |
| 4 |
Document Caddy configuration |
docs/guides/caddy-config.md |
✅ Done |
Phase 2: High Priority (During Deployment)
| # |
Task |
Deliverable |
Priority |
| 5 |
Document NAS hardware specs |
Update hardware.md |
High |
| 6 |
Create mobile kit compose files |
docker/mobile/ |
High |
| 7 |
Create VPS compose files |
docker/vps/ |
High |
| 8 |
Audit VPS RAM usage |
Document actual consumption |
High |
| 9 |
Plan domain DNS records |
Update domain-research.md |
High |
Phase 3: Medium Priority (Post-Deployment)
| # |
Task |
Deliverable |
Priority |
| 10 |
Document VLAN strategy |
docs/network-security.md |
Medium |
| 11 |
Configure monitoring alerts |
Uptime Kuma + ntfy rules |
Medium |
| 12 |
Create backup test procedure |
docs/guides/backup-test-procedure.md |
Medium |
| 13 |
Resolve port 8080 conflict |
Update services.md |
Medium |
Phase 4: Future Enhancements
| # |
Task |
Deliverable |
Priority |
| 14 |
Tailscale IP allocation policy |
Document in hardware.md |
Low |
| 15 |
Bitcoin node management guide |
docs/bitcoin-node.md |
Low |
| 16 |
Ansible playbooks |
ansible/ directory |
Low |
| 17 |
Unified network diagram tool |
Draw.io or Mermaid |
Low |
Service Inventory (24 Services)
By Category
| Category |
Services |
Count |
| Networking |
Headscale, Pi-hole (x3), Caddy, DERP |
6 |
| Media |
Jellyfin, Sonarr, Radarr, Prowlarr, qBittorrent |
5 |
| Bitcoin |
Bitcoin Core, LND, Electrum Server |
3 |
| Storage |
Samba, Syncthing |
2 |
| Security |
Vaultwarden, Frigate |
2 |
| Automation |
Home Assistant |
1 |
| Monitoring |
Uptime Kuma, ntfy |
2 |
| Backup |
Restic REST (x2) |
2 |
| Scraping |
changedetection |
1 |
| Git |
Forgejo |
1 |
Missing Services (To Add)
| Service |
Purpose |
Location |
Priority |
| Mosquitto |
MQTT broker for HA ↔ Frigate |
Docker VM |
Critical |
| Prometheus |
Metrics collection (optional) |
Docker VM |
Low |
| Grafana |
Metrics visualization (optional) |
Docker VM |
Low |
Cost Summary
Monthly
| Item |
Cost |
| VPS (Vultr) |
$6.00 |
| Domain (cronova.dev) |
Already owned |
| Domain () |
~$5.00 |
| Total |
~$11/mo |
Annual
| Item |
Cost |
| VPS |
$72.00 |
| cronova.dev |
Already owned |
|
~$60.00 |
| Total |
~$132/yr |
Critical Success Factors
These MUST work for the architecture to function:
| Factor |
Dependency |
Backup Plan |
| Headscale DB |
Entire mesh |
Hourly backups to NAS + VPS |
| Unbound on OPNsense |
Privacy DNS |
Fallback to public DNS |
| Restic encryption keys |
All backups |
Store in Vaultwarden + paper |
| Tailscale connectivity |
Inter-device comms |
DERP relay on VPS |
| OPNsense WAN bridged (vmbr0) |
Network isolation |
Bridged approach, no passthrough needed |
Decision Log
| Date |
Decision |
Rationale |
| 2026-01-14 |
cronova.dev for homelab |
Already owned, established brand, $0 additional cost |
| 2026-01-14 |
for business |
AI-first positioning, modern TLD |
| 2026-01-14 |
Both domains via Cloudflare |
At-cost pricing, DNS + CDN included |
| 2026-01-14 |
Public: vault, status, notify |
Need access from anywhere |
| 2026-01-14 |
Private: media, home, bitcoin |
Personal/sensitive data |
Next Actions
| Priority |
Action |
Blocks |
| 1 |
Purchase |
Nothing |
| 2 |
Create disaster recovery runbook |
Nothing |
| 3 |
Create Caddy config documentation |
Domain purchase |
| 4 |
Add MQTT to service inventory |
Nothing |
| 5 |
Create mobile kit compose files |
PSU arrival |
References